Zappos shows that big breaches are still part of the cyber crime outlook

We tend first to get blown away by data breach numbers: RECORDS OF 24 MILLION ZAPPOS.COM CUSTOMERS BREACHED. Then we sort of glaze over and shrug: “Just another big data breach.” Let’s face it, the “big” makes news, but the “big” isn’t what it’s all about.

The last Verizon Data Breach Investigations Report showed a significant increase in the breaches Verizon and the Secret Service investigated, but a startling decrease in the total number of records stolen. This trend was reflected in other data as well, suggesting (a) criminals are avoiding attacks on big enterprise databases in favor of attacks on smaller, less well protected companies; (b) more attacks are being discovered more quickly, before a lot of data can be extracted; (c) criminals are focusing more on targeted fraud against consumers and small businesses and/or (d) some other explanations that elude me (feel free to offer up your thoughts).

Then, of course, we get some spectacular breaches like Zappos and the sky is falling again.

The sky is not falling, of course. Cyber crime is more of a hard, steady rain from which we have to protect ourselves as best we can. What lessons can we draw from Zappos? Precious little at this point. We do not know, yet, how they were breached: Were they picked out and targeted, or just victims of a random attack that gained a foothold and was subsequently exploited? Were employees sucked in by a spear-phishing attack? Was a zero-day vulnerability (Ooooooh!) exploited or, more likely, unpatched vulnerabilities (how dull)? How long did the breach last, and when did they discover it?

Judging by the size of the breach and the typical pattern for this type of attack, it lasted weeks or months and was discovered by third parties. That’s an oft-repeated saga, so perhaps the most important lesson we can draw, based on very little information, is that chances are you will be breached, so the question is how you are going to discover it and how you are going to respond.

Do you have network monitoring and analysis tools checking your network for anomalous activity? RSA reportedly discovered the breach of data about its flagship SecurID product through use of NetWitness products; that worked out so well they bought the company. Are you monitoring logs for traffic going to strange IP addresses, leveraging your log management or SIEM products? Is your IPS monitoring outbound traffic? Any of the above?
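To make the “monitoring logs for traffic going to strange IP addresses” question concrete, here is a small added example (written for this post, not code from Zappos, RSA or NetWitness) that runs two checks over constructed firewall log lines: hosts pushing an unusual volume of data to a destination outside a known-good list, and hosts contacting one external address at a suspiciously regular interval (beaconing). The log format, the allowlist, the thresholds and the sample traffic are all assumptions for illustration; a real SIEM rule would take the same two signals from whatever your firewall or proxy actually exports.

```python
"""Toy detector for anomalous outbound traffic in firewall logs.

Added example, not from the article. Flags (1) internal hosts that send a
large total volume to a destination outside a known-good list and (2) hosts
that contact one external IP at a near-constant interval, which is how
command-and-control beaconing tends to look in connection logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample log lines in an assumed syslog-style export; not real traffic.
SAMPLE_LOG = """\
2012-01-16T02:00:05 ALLOW src=10.20.1.15 dst=203.0.113.7 dport=443 bytes_out=48210
2012-01-16T02:10:05 ALLOW src=10.20.1.15 dst=203.0.113.7 dport=443 bytes_out=51102
2012-01-16T02:20:06 ALLOW src=10.20.1.15 dst=203.0.113.7 dport=443 bytes_out=47988
2012-01-16T02:30:05 ALLOW src=10.20.1.15 dst=203.0.113.7 dport=443 bytes_out=50233
2012-01-16T02:40:05 ALLOW src=10.20.1.15 dst=203.0.113.7 dport=443 bytes_out=49120
2012-01-16T02:03:41 ALLOW src=10.20.1.22 dst=198.51.100.10 dport=443 bytes_out=1820
2012-01-16T02:17:09 ALLOW src=10.20.1.22 dst=198.51.100.10 dport=80 bytes_out=940
2012-01-16T02:44:52 ALLOW src=10.20.1.22 dst=192.0.2.44 dport=443 bytes_out=2210
2012-01-16T02:45:10 ALLOW src=10.20.1.30 dst=10.20.5.5 dport=1433 bytes_out=310
"""

# Assumed allowlist of destinations the business expects to talk to (partner
# APIs, CDN, payment gateway) plus the internal range. Constructed values.
KNOWN_GOOD = [ip_network("198.51.100.0/24")]
INTERNAL = [ip_network("10.0.0.0/8")]

VOLUME_THRESHOLD = 100_000   # bytes from one host to one unknown dst (toy value)
MIN_BEACON_EVENTS = 4        # need a few samples before judging regularity
MAX_INTERVAL_JITTER = 0.1    # pstdev/mean of inter-connection gaps


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_line(line):
    """Parse one 'timestamp ACTION key=value ...' line into an Event."""
    ts_str, _action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(datetime.fromisoformat(ts_str), fields["src"], fields["dst"],
                 int(fields["dport"]), int(fields["bytes_out"]))


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_expected(dst):
    """True if the destination is internal or on the known-good list."""
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_GOOD + INTERNAL)


def volume_alerts(events):
    """(src, dst) pairs that moved VOLUME_THRESHOLD bytes or more to an unknown dst."""
    totals = defaultdict(int)
    for e in events:
        if not is_expected(e.dst):
            totals[(e.src, e.dst)] += e.bytes_out
    return sorted(key for key, total in totals.items() if total >= VOLUME_THRESHOLD)


def beacon_alerts(events):
    """(src, dst, mean_gap_seconds) for hosts calling an unknown dst on a steady cadence."""
    times = defaultdict(list)
    for e in events:
        if not is_expected(e.dst):
            times[(e.src, e.dst)].append(e.ts)
    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < MIN_BEACON_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps means the connections are on a timer.
        if avg > 0 and pstdev(gaps) / avg <= MAX_INTERVAL_JITTER:
            hits.append((src, dst, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, dst in volume_alerts(evts):
        print(f"VOLUME  {src} -> {dst}")
    for src, dst, gap in beacon_alerts(evts):
        print(f"BEACON  {src} -> {dst} every ~{gap}s")
```

On the constructed sample, host 10.20.1.15 trips both rules: it has pushed roughly 246 KB to 203.0.113.7, an address on no allowlist, and it does so every ten minutes almost to the second. The other hosts talk only to allowlisted or internal addresses, or make a single small connection, and stay quiet. The two checks are deliberately independent: a slow, low-volume beacon and a one-shot bulk transfer look nothing alike in byte counts, which is why the volume rule alone would have missed a patient attacker and the cadence rule alone would have missed a fast one.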

One of the interesting points to note is that at the very least Zappos took the essential precautions to protect its customers by obscuring credit card numbers (only the last four digits were available to the attackers), encrypting passwords and expiring them when they learned of the breach. But the criminals came away with plenty of information to open new cards and/or, perhaps more significantly, send very authentic and convincing phishing messages. Recall that the giant breach of email marketing company Epsilon was clearly aimed at such information, rather than credit cards and/or credentials. So, let’s not breathe too deep a sigh of relief that some information was protected, and assume that the attackers consider the Zappos breach a success. The sky isn’t falling, but the rain continues to come down. Forecast: more rain.